May 24, 2022

Protecting the Protectors: Data Security in the Insurance Industry

When individuals and organizations experience a crisis, they turn to the insurance industry. Medical, life, and car insurance companies provide support during life’s most difficult circumstances. It is essential, then, that insurance companies build trust with their policyholders by providing excellent customer service and protecting their data.

Unfortunately, a growing data security crisis threatens insurance companies’ reputations with their customers. Shred-it's 2021 Data Protection Report found that insurance companies are more likely than those in any other industry to experience a data breach. Three in four of the insurance companies surveyed have experienced a data breach at some point, with 65% reporting a data breach in the previous year. These breaches can affect both small insurance companies and some of the largest insurance firms in the world. Insurance firms are purchasing their own insurance to protect against ransomware attacks.

Insurance policy providers can be targets because they store large amounts of sensitive information for individuals and businesses. For individual policyholders, insurance companies may collect social insurance numbers, phone numbers, addresses, bank information, and even protected health information (PHI). For businesses, insurance companies are trusted with financial information, names and addresses of employees and, in some cases, information about internal operations.

In 2018, it became mandatory for businesses in Canada to report a data breach under the Personal Information Protection and Electronic Documents Act (PIPEDA). Organizations that are subject to PIPEDA must report any breaches that could cause significant harm to individuals. Victims have to be notified, and all data breaches within an organization must be recorded.

If an insurance company has relatively weak information security protocols, then bad actors have easier access to the insurance company’s data. According to the 2021 Data Protection Report, just half of insurance organizations surveyed have information security policies in place, compared to 64% of healthcare organizations and 72% of financial organizations. Just one in four insurance organizations surveyed perform regular infrastructure auditing and even fewer perform vulnerability assessments.

Additionally, insurance companies tend to be more concerned about internal physical data breaches, as 85% of organizations surveyed said they are concerned about employees leaving confidential materials out on their desks. A simple way to help protect vulnerable information is to implement a clean desk policy, which requires employees to shred or securely store any confidential information each time they leave their desk. This type of policy works best when it is paired with a paper shredding service, which only 6% of insurance companies surveyed have.

Insurance companies know how to support other businesses through a crisis, but by investing in proper data security measures, they can be better prepared to protect themselves. Learn more about data protection in the insurance industry by downloading our Data Protection Report infographic and visiting our insurance page. 
